Seeing as all of these will tunnel through port 80 if all other ports are blocked, blocking port 80 isn't going to do much good, as you'll stop web browsing for everybody else...
You need to block access to the AOL, MSN and Yahoo IP addresses directly.

Preventing IM traffic from leaving the network is also difficult. Like Napster, the major IM clients will work quite hard to find a port to exit your LAN, using HTTP if they have to. AIM needs to connect to the host login.oscar.aol.com in order to start up, so blocking traffic to this destination will effectively shut it down. However, at press time, the name login.oscar.aol.com points to the following IP addresses, according to a DNS lookup:

205.188.7.172
205.188.7.176
205.188.7.164
205.188.7.168

You'll need to block all of these and check for any new servers on a regular basis. Yahoo! Messenger can be blocked in a similar way, by killing off outbound access to the hosts answering to the following names:

Each of the above names resolves to multiple IP addresses, and, of course, Yahoo! can add new addresses at any time, making it an ongoing battle.

MSN Messenger can be blocked by blocking IP access to the Hotmail network range, 64.4.0.0 through 64.4.63.255. Interestingly, this does not seem to totally block access to Hotmail's Web-based mail service.

Forget trying to block it with an iron fist; there are too many ways around it. Your best bet is to go ahead and block the application-based ports and have available, in writing, the disciplinary repercussions for using unauthorized software within the standard policy/guidelines. Then set up a Snort (or whatever) alert for signatures of said chat traffic. Make an example of someone you really don't need.

tim_holman is quite right - many newer IM clients will try to tunnel over port 80, and they're getting quite good at disguising their traffic as legitimate HTTP traffic. Or, as the vendors call it, "firewall friendly applications". Not necessarily administrator friendly though... ;o)

You can try blocking the known port numbers, hostnames and IP addresses. But the vendors can change these at will - and in the past, they have done so. It's a moving target.

Droby_10's suggestion of using an IDS, such as Snort, is exactly how I deal with the problem. I can trace the communication back to a specific IP address, prove how long the chat session was open, then contact the user's HR officer with the evidence and a copy of the relevant section of the Acceptable Use Policy.

An even better (read: more expensive) solution is one of the new server appliances that claim to intercept and inspect all IM traffic (e.g. WebWasher). Like an IDS, they use signatures to detect IM traffic. But then like a proxy server, they deny access to users who aren't on an "approved" list.
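The two pieces of this thread that can be turned into working code are the address list (the login.oscar.aol.com addresses and the Hotmail 64.4.0.0 - 64.4.63.255 range quoted above) and the IDS-style evidence trail described in the previous post (which source IP, how long the session was open). The block below is an added example, not code from anyone in the thread: it matches on destination address rather than port, because the point made above is that the clients fall back to port 80 anyway, and it emits both a per-user evidence summary and the equivalent iptables DROP rules. The firewall log format and every log line are constructed for the example; the addresses are the ones quoted in the thread and will have changed since.

```python
"""Address block list and IDS-style evidence report for the IM hosts named above.

Added example. The SAMPLE_LOG lines and their format are constructed; the
destination addresses are the ones quoted in the thread (login.oscar.aol.com
at press time, and the Hotmail range 64.4.0.0 - 64.4.63.255).
"""
import ipaddress
import re
from datetime import datetime

# Destinations the thread says to block. Vendors change these; keep it current.
IM_DESTINATIONS = {
    "AIM (login.oscar.aol.com)": [
        ipaddress.ip_network("205.188.7.172/32"),
        ipaddress.ip_network("205.188.7.176/32"),
        ipaddress.ip_network("205.188.7.164/32"),
        ipaddress.ip_network("205.188.7.168/32"),
    ],
    # 64.4.0.0 through 64.4.63.255 is exactly the CIDR block 64.4.0.0/18
    "MSN Messenger (Hotmail range)": [ipaddress.ip_network("64.4.0.0/18")],
}

# Constructed firewall connection log. Assumed format:
#   <date> <time> <action> <proto> <src>:<sport> -> <dst>:<dport>
SAMPLE_LOG = """\
2003-06-12 09:14:02 ACCEPT TCP 10.1.2.34:1045 -> 205.188.7.172:5190
2003-06-12 09:14:03 ACCEPT TCP 10.1.2.34:1046 -> 192.0.2.10:80
2003-06-12 09:20:15 ACCEPT TCP 10.1.2.34:1047 -> 205.188.7.176:80
2003-06-12 09:31:40 ACCEPT TCP 10.1.2.34:1052 -> 205.188.7.172:5190
2003-06-12 10:02:11 ACCEPT TCP 10.1.2.57:2201 -> 64.4.13.53:1863
2003-06-12 10:05:59 ACCEPT TCP 10.1.2.57:2204 -> 64.4.13.53:80
2003-06-12 10:06:30 ACCEPT TCP 10.1.2.57:2205 -> 64.4.64.1:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def classify(dst):
    """Return the IM service a destination address belongs to, or None.

    Address-only matching: a client that has fallen back to port 80 still
    has to reach one of these addresses, so the port is ignored here.
    """
    addr = ipaddress.ip_address(dst)
    for service, nets in IM_DESTINATIONS.items():
        if any(addr in net for net in nets):
            return service
    return None


def im_sessions(log_text):
    """Group IM connections per (source IP, service).

    Returns {(src, service): (first_seen, last_seen, connection_count)}.
    """
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not fit the assumed format; skip it
        service = classify(m["dst"])
        if service is None:
            continue  # ordinary web traffic
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["src"], service)
        first, last, n = seen.get(key, (ts, ts, 0))
        seen[key] = (min(first, ts), max(last, ts), n + 1)
    return seen


def evidence_report(log_text):
    """One line per user and service: the summary you would attach to the AUP."""
    lines = []
    for (src, service), (first, last, n) in sorted(im_sessions(log_text).items()):
        minutes = (last - first).total_seconds() / 60
        lines.append(f"{src} used {service}: {n} connections, "
                     f"{first:%H:%M}-{last:%H:%M} ({minutes:.0f} min)")
    return lines


def iptables_rules(chain="FORWARD"):
    """One DROP rule per blocked network, for the 'block the addresses directly'
    approach. Regenerate whenever the DNS answers change."""
    return [f"iptables -A {chain} -d {net} -j DROP"
            for nets in IM_DESTINATIONS.values() for net in nets]


if __name__ == "__main__":
    print("\n".join(evidence_report(SAMPLE_LOG)))
    print("\n".join(iptables_rules()))
```

Run it against a real connection log by swapping SAMPLE_LOG for the file contents and adjusting LINE_RE to the firewall's own format; the session duration is only as good as the log's timestamps, and a single connection gives a duration of zero minutes, so treat the connection count as the stronger piece of evidence.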

He is right, but I can hardly imagine that companies open up port 80. Mostly it goes over a proxy, and then you can avoid these tools by disabling the CONNECT method.
And if you have a good workstation policy, it can be pretty hard to install tools on your desktop.
Anyhow, the solution will not be done with one component only.

Steve Gibson's "shoot the messenger" program does not affect Instant Messaging (as noted on the web page, under the heading "Windows Messenger Service"). It won't "block the use of AIM, MSN Messenger, Yahoo Instant Messenger and ICQ", which was the subject here.

Just realised that Microsoft refer to the Instant Messaging program that's bundled with XP as "Windows Messenger", which only adds to the confusion! The Windows Messenger *service* is something different, and is the one addressed by "shoot the messenger".

Even if you block it with TerminatorX or block it with a firewall, you won't be blocking web-based chat such as Everywhere MSN (eMsn)... These tools are completely web-based and they use the HTTP port like any web site... You could block the domain, but you're going to fall into an infinite "domain blocking" war, since these tools are built like an applet...

Droby_10's suggestion is the ONLY completely bulletproof way to block users from chatting... trust me, they try to block me and they never succeed...

An iron fist approach for MSN Messenger is to create a registry key that will prevent the application from running.

HKEY_LOCAL_MACHINE\software\policies\microsoft\

Create a new key called Messenger. Create another key under Messenger called Client. Then create a DWORD under Client, call it PreventRun and give it a value of 1. This key can be exported to a file and imported into the registry of other computers.

If you are working in an Active Directory domain environment, you could also use the group policy in the domain to prevent the running of specific Windows programs. See Microsoft Knowledge Base Article 323525. For example, if you want to prevent the use of Yahoo Messenger then the program to include is YPager.exe; if you want to prevent the use of MSN Messenger then the program to include is msmsgs.exe.

You are looking at the wrong place in the domain policy. "Don't run specified Windows applications" is under the "User Configuration > Administrative Templates > System" folder and not "User Configuration > Administrative Templates > System > Group Policy".

Alternatively, look into deploying an ISA Server 2000, or even better 2004, which can allow you to do much more with regards to blocking programs, websites, instant messaging, etc. for users, computers, groups, etc.

To block selected computers, create a new OU container within the AD and move the computers into the new OU container, then create a new GPO preventing the execution of Yahoo Messenger and apply the policy to the new OU container containing the group of computers.

I think the best way to stop any messenger servers is to have your router or proxy send the request to a messenger service (example: login.oscar.aol.com) to a bad private IP address. This will make it so the messenger client will never reach the server and make it stop trying to get there...

Well, yes, that will block access for all computers on the network. It was never really stated if it was for a single PC, multiple PCs, or a whole network. The only other thing you can try is to see if you can do blocking via IP address or MAC address and then create filters for those PC(s).

The best way to block all these (not to discipline) is to incorporate either Websense or SurfControl, and at the same time block every port except 80/443. I cannot really imagine why a normal user needs more than just these 2 ports.

You can find out more about them on their websites. They are very similar software and supported by many firewalls. They work as a filter, but based on domain name/ip address. You can set up to block different category such as no access to Adults, Sex, or Internet Chat. Those companies are doing all the hunting work and they update their database very often.

If you do what I suggested:
1. block every port except 80 and 443
2. set up either Websense or SurfControl to block web chat and IM
3. set up either Websense or SurfControl to block proxy servers

The only way a user can get through is to build a Port 80 VPN with his home computer and tunnel through that, but that will be very fancy, and I think if he can do that, you should recruit him to your IT team.

Given that an answer to this question was accepted nearly a year ago, and dcanard (author of the question) hasn't posted here since, is he still reading this? Dcanard - do you still need advice, and if so, what?

In all my years on EE, this is the longest lasting *closed* question ever!!

Websense sits on a server within your network (can be in different subnets or even Internet). Your firewall, which is your gateway typically, intercepts every request and before it allows the request to go through, it checks with the Websense server. If the Websense server decides to deny, no traffic will go through.

If you need to know more about the setup, please leave an email address or something through which I can contact you.

You can use Trustware's anti-malware product with BufferZone, which will prevent anything not in your policy from running on the machine. It has central management and you can create policies per user to allow or prevent running software. Please be aware that the BufferZone technology lets users run programs without damaging the Windows system by creating a virtual world for these programs, which they will be able to run without any possibility of affecting any info or system attributes.
